
EU Offers Bug Bounties For 14 Open Source Projects

As the bug bounty programs begin to roll out in January, security experts worry that the programs miss the mark on truly securing open source projects.

The European Commission in January is funding 14 bug bounty programs in hopes of sniffing out vulnerabilities in the free open source projects that EU institutions rely on.

The bug bounty programs span 14 open source software projects and offer a total of almost $1 million for all bounties combined. The individual programs have varying rewards, start and end dates, and platforms. The first bug bounty programs – for FileZilla, Apache Kafka, Notepad++, PuTTY, and VLC Media Player – begin next week on Jan. 7.

The initiative stems back to the Free and Open Source Software Audit project (FOSSA), first created by European Parliament member Julia Reda. Reda proposed FOSSA with the hopes of securing open source software, after the Heartbleed vulnerability was discovered in open source encryption library OpenSSL in 2014.

Heartbleed not only impacted OpenSSL, but also the other software that depended on the library’s functions – and the bug also highlighted the security issues in software widely used across the Commission.

“Like many other organisations, institutions like the European Parliament, the Council and the Commission build upon Free Software to run their websites and many other things,” said Reda in a post about FOSSA. “But the Internet is not only crucial to our economy and our administration. It is the infrastructure that runs our every day lives. It is the means we use to retrieve information and to be politically active.”

The project’s first iteration, between 2015 and 2016, launched several security audits, listed which free software the EU runs on, and analyzed how software developers maintain security in their projects. In 2017, the EU developed several bug bounty programs to hunt out vulnerabilities in the open source programs used by EU institutions. In November 2017, the Commission announced it would run the first bug bounty, on VLC Media Player, as a proof of concept.

Here is the full list of software projects that will have bug bounty programs:

PuTTY and Drupal have the two largest bug bounties, offering 90,000 Euro ($102,000) and 89,000 Euro ($101,000) respectively. The timeframes of the bug bounties also vary – PuTTY’s bug bounty program will remain active until Dec. 15, while Drupal’s will go until Oct. 15, 2020.

Lingering Concerns

While the EU hailed the bug bounty programs as a step in the right direction, some worry that open source software needs to rely on more than merely bug bounty programs to build up security.

Katie Moussouris, founder of Luta Security, said on Twitter that “a #bugbounty on open source projects that don’t get any funding for additional maintainers is likely to decimate the volunteer maintainer labor pipeline of the future”.

I disagree that it's a good thing on its own. Where is the money for more paid maintainers? Oops. It's not there. A #bugbounty on open source projects that don't get any funding for additional maintainers is likely to decimate the volunteer maintainer labor pipeline of the future https://t.co/1YgwDNeFXM

The issue of treating bug bounty programs as a final solution for security – rather than as one means to an end – has been raised several times in the past few years.

Josh Bressers, head of Product Security at Elastic, said in his blog that one issue is that the EU doesn’t have a way to pay the projects today, but it does have a way to pay security bug bounties. It should instead be focusing on a “next step” that gives the projects the resources to secure themselves.

“If nothing changes and bug bounties are the only way to spend money on open source, this will fizzle out as there isn’t going to be a massive return on investment,” he said. “The projects are already overworked, they don’t need a bunch of new bugs to fix…Resources aren’t always money, sometimes it’s help, sometimes it’s gear, sometimes it’s pizza. An organization like the EU has money, they need help turning that into something useful to an open source project.”

Discussion

Not only that well-managed open source projects don't need wild ghost hunts, but the sum is pitiful. Add a digit & employ dozens of programmers to actually work on code improvements per listed project for a year or so.

Authors

Threatpost
